Abstract
We develop and simulate a dynamic model of investment in information security. The model is based on the recognition that both IT managers and users appreciate the trade-off between two of the fundamental characteristics of information security, namely confidentiality and availability. The model’s parameters can be clustered in a manner that allows us to categorize and compare the responses to shocks of various types of organizations. We derive the system’s stability conditions and find that they admit a wide choice of parameters. We examine the system’s responses to the same shock in confidentiality under different parameter constellations that correspond to various types of organizations. Our analysis illustrates that the response to investments in information security will be uniform in neither size nor time evolution.
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Ioannidis, C., Pym, D., Williams, J. (2009). Investments and Trade-offs in the Economics of Information Security. In: Dingledine, R., Golle, P. (eds) Financial Cryptography and Data Security. FC 2009. Lecture Notes in Computer Science, vol 5628. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03549-4_9
DOI: https://doi.org/10.1007/978-3-642-03549-4_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03548-7
Online ISBN: 978-3-642-03549-4